Instead of beating your head against DLZ, can't you simply put the DLZ query into stunnel and connect to the OpenLDAP server that way?

Ted

On 2/11/2021 10:39 PM, Dario García Díaz-Miguel wrote:
Hi there,

I really don't know if this is the correct place to ask about Bind DLZ, but I'm afraid that I could not have any responses from the BIND DLZ mail list and, since this seems to be an "official" plugin and it's compiled on the bind9 package from the SuSE15 SP2 repository, I will try to ask it over here.

I've deployed an OpenLDAP using the security options recommended by my cybersecurity team:

- olcSecurity: ssf=256
- olcLocalSSF: 256
- olcRequires: authc
- olcDisallow: bind_anon
- olcTLSVerifyClient: try

So essentially right now it is required to use certificates and LDAPS in order to bind to the OpenLDAP server. Otherwise a Confidential error will appear since the TLS SSL Handshake is not possible. Well, this is the expected behavior.

All the software of the environment works flawlessly using the SSL Certificates through LDAPS SSL except Bind DLZ. I could not find the way to configure it to use SSL.

The Bind DLZ used is the one compiled with the BIND 9.16.6 (Stable Release) from the SUSE 15 SP2 repository.

Could anybody help me?

Thank you so much.
Regards.

Dario Garcia Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
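
The stunnel approach suggested in the reply, sketched as a client-mode stunnel configuration. This is an added example, not part of the original thread; the host name, local port and file paths are placeholders, and the cipher list assumes the server's ssf=256 requirement is met by a 256-bit TLS cipher.

```ini
; Constructed example: host name, port and file paths are placeholders.
; stunnel runs on the BIND host in client mode and carries the DLZ driver's
; plain LDAP connection to the OpenLDAP server over LDAPS.

[ldap-dlz]
client = yes

; Plaintext leg: loopback only, so the unencrypted LDAP traffic (including
; the bind DN and password used for olcRequires: authc) never leaves the
; BIND host. Any local process can reach this port, so keep the host's
; local accounts restricted.
accept = 127.0.0.1:3890

; Encrypted leg: the LDAPS listener of the OpenLDAP server.
connect = ldap.example.internal:636

; Refuse protocol versions older than TLS 1.2.
sslVersionMin = TLSv1.2

; Verify the server's certificate chain and host name; without these the
; tunnel encrypts but does not authenticate the server.
CAfile = /etc/stunnel/ldap-ca.pem
verifyChain = yes
checkHost = ldap.example.internal

; Assumption: olcSecurity ssf=256 is satisfied by a 256-bit cipher, so the
; TLS 1.2 cipher list is limited to AES-256-GCM suites.
ciphers = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

; olcTLSVerifyClient: try asks for a client certificate without requiring
; one. Uncomment to present one from the tunnel:
;cert = /etc/stunnel/bind-client.pem
;key = /etc/stunnel/bind-client.key
```

The DLZ LDAP driver is then pointed at the local accept address (127.0.0.1:3890 here) with a plain ldap:// URL, and slapd sees only the TLS session that stunnel negotiated.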